WordPress Security Checklist 2026: A Practical Hardening Guide
WordPress powers 43% of the web—which makes it a massive target. Here’s a practical checklist to harden your site against the attacks we’re seeing in 2026.
Reading time: 10 minutes
The Short Answer
Most WordPress sites get hacked through three vectors: weak passwords, outdated plugins, and vulnerable themes. Address those three, and you’ve eliminated 90% of your risk. The rest of this guide covers the details and the additional hardening that separates “probably fine” from “properly secured.”
The 2026 Threat Landscape
Before diving into the checklist, it’s worth understanding what attackers are actually doing right now:
- Automated credential stuffing — Bots try username/password combinations from data breaches. If you’ve reused passwords anywhere, you’re vulnerable.
- Plugin vulnerabilities — Attackers monitor security disclosures and start scanning for vulnerable sites within hours of public disclosure.
- Supply chain attacks — Compromised plugins that update to malicious versions. This happened with several major plugins in 2024-2025.
- AI-enhanced attacks — Phishing emails and social engineering are more convincing than ever. Your weakest link is often human.
- Cryptomining and SEO spam — Many attackers don’t steal data—they inject cryptocurrency miners or spam links that damage your SEO.
The Checklist
1. Access Control (Critical)
| Item | Priority | Effort |
|---|---|---|
| Use strong, unique passwords for all accounts | Critical | 5 min |
| Enable two-factor authentication (2FA) | Critical | 15 min |
| Limit login attempts (brute force protection) | Critical | 5 min |
| Change default “admin” username | High | 10 min |
| Audit user accounts, remove unused ones | High | 15 min |
| Use application passwords for API access | Medium | 10 min |
Implementation notes:
- Password managers are mandatory. Use 1Password, Bitwarden, or similar. No passwords should be memorable—they should be random 20+ character strings.
- For 2FA, plugins like Wordfence or WP 2FA work well. Prefer TOTP apps (Google Authenticator, Authy) over SMS.
- Login limiting is built into Wordfence. Default is 20 attempts before lockout—consider reducing to 5.
2. Plugin and Theme Security (Critical)
| Item | Priority | Effort |
|---|---|---|
| Update all plugins immediately when updates are available | Critical | Ongoing |
| Delete unused plugins (deactivated isn’t enough) | Critical | 15 min |
| Delete unused themes (keep only active + one default) | High | 10 min |
| Enable auto-updates for security releases | High | 5 min |
| Audit plugins for abandonment (no updates in 2+ years) | High | 30 min |
| Review plugin permissions and data access | Medium | 30 min |
Implementation notes:
- Deactivated plugins are still attack vectors. Their code is still on your server. If you’re not using it, delete it.
- Nulled (pirated) themes and plugins are the #1 source of malware. Never use them. If you can’t afford a premium plugin, use a free alternative.
- Check last update dates on all plugins. A plugin that hasn’t been updated in 2+ years is likely abandoned and may have unpatched vulnerabilities.
3. WordPress Core Hardening
| Item | Priority | Effort |
|---|---|---|
| Keep WordPress core updated | Critical | 5 min |
| Disable file editing in wp-admin | High | 2 min |
| Set proper file permissions (644/755) | High | 15 min |
| Protect wp-config.php | High | 5 min |
| Disable XML-RPC if not needed | Medium | 5 min |
| Disable REST API user enumeration | Medium | 10 min |
| Hide WordPress version | Low | 5 min |
Implementation notes:
Add to wp-config.php to disable file editing:
define('DISALLOW_FILE_EDIT', true);
This prevents attackers from modifying theme/plugin files through wp-admin if they gain access.
File permissions should be:
- Directories: 755
- Files: 644
- wp-config.php: 400 or 440
Never use 777 permissions on anything.
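A quick way to verify these three settings on a live install is to script the check. The audit below is an added example, not part of the guide or of WordPress itself; it assumes a POSIX shell with `find`, `ls`, `cut`, `sed` and `grep -E`, and that you run it as the user that owns the site files. The `make_sample_site` helper builds a constructed docroot with two of the mistakes described above so the audit can be tried without touching a real site.

```shell
#!/bin/sh
# Audit a WordPress docroot for the settings recommended above (added example,
# not from the guide): no 777 / world-writable paths, wp-config.php not readable
# by "other" (400 or 440), and DISALLOW_FILE_EDIT defined in wp-config.php.
# Prints one finding per line; the return value is the number of findings.
wp_audit() {
    root=$1
    findings=0
    # "-perm -0002" is POSIX find: any path with the other-write bit set.
    ww=$(find "$root" -perm -0002)
    if [ -n "$ww" ]; then
        echo "$ww" | sed 's/^/WORLD_WRITABLE /'
        findings=$((findings + $(echo "$ww" | wc -l)))
    fi
    cfg=$root/wp-config.php
    if [ ! -f "$cfg" ]; then
        echo "MISSING $cfg"
        return $((findings + 1))
    fi
    # Mode string from ls -l, e.g. "-rw-r--r--": char 6 is group write,
    # char 8 is other read. 400 and 440 leave both of them as "-".
    mode=$(ls -ld "$cfg" | cut -c1-10)
    case $mode in
        ?????w????|???????r??)
            echo "CONFIG_TOO_OPEN $cfg $mode"
            findings=$((findings + 1)) ;;
    esac
    # Accept define('DISALLOW_FILE_EDIT', true) with either quote style.
    pat="define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true"
    if ! grep -Eq "$pat" "$cfg"; then
        echo "NO_DISALLOW_FILE_EDIT $cfg"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample docroot with deliberate defects, for trying the audit.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    printf "<?php\ndefine('DB_NAME', 'wp');\n" > "$d/wp-config.php"
    chmod 644 "$d/wp-config.php"        # other-readable: too open
    chmod 777 "$d/wp-content/uploads"   # the classic mistake
    echo "$d"
}

# Usage: sh wp_audit.sh /var/www/html
if [ $# -gt 0 ]; then wp_audit "$1"; fi
```

Run it once, apply the fixes (chmod, then add the define), and run it again until it prints nothing.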
4. Security Plugins and Monitoring
| Item | Priority | Effort |
|---|---|---|
| Install a security plugin (Wordfence, Sucuri, etc.) | Critical | 15 min |
| Enable Web Application Firewall (WAF) | Critical | 5 min |
| Configure security alerts to email | High | 10 min |
| Schedule regular malware scans | High | 5 min |
| Enable file integrity monitoring | Medium | 5 min |
| Monitor login attempts | Medium | 5 min |
Recommended configuration (Wordfence):
- Enable the firewall in “Learning Mode” for a week, then switch to “Enabled and Protecting”
- Set max login attempts to 5
- Enable “Block fake Google crawlers”
- Enable daily malware scans
- Configure email alerts for critical issues
5. Backup and Recovery
| Item | Priority | Effort |
|---|---|---|
| Automated daily backups | Critical | 30 min |
| Store backups off-site (not on the same server) | Critical | 15 min |
| Test backup restoration at least annually | High | 1 hour |
| Keep 30+ days of backup history | High | 5 min |
| Document restoration procedure | Medium | 30 min |
Backup options:
- UpdraftPlus (free) — Backs up to Dropbox, Google Drive, S3, etc.
- BlogVault (paid) — Real-time backups, staging, migration
- Host-level backups — Many managed hosts include automatic backups
Critical: A backup on the same server isn’t a backup. If the server is compromised or destroyed, you lose both the site AND the backup.
6. Hosting and Infrastructure
| Item | Priority | Effort |
|---|---|---|
| Use HTTPS everywhere (SSL certificate) | Critical | 15 min |
| Keep PHP version current (8.1+ in 2026) | Critical | 15 min |
| Use SFTP, never FTP | High | 5 min |
| Disable directory listing | High | 5 min |
| Set security headers (CSP, HSTS, X-Frame-Options) | Medium | 30 min |
| Consider a CDN with DDoS protection | Medium | 1 hour |
PHP version matters. Old PHP versions (7.4 and earlier) no longer receive security patches. If your host doesn’t support PHP 8.1+, it’s time to switch hosts.
Security headers can be set via plugins like “HTTP Headers” or at the server level:
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
7. Database Security
| Item | Priority | Effort |
|---|---|---|
| Change default table prefix (wp_) | Medium | Complex on existing sites |
| Use strong database password | High | 15 min |
| Limit database user permissions | Medium | 15 min |
| Disable remote database access | High | 5 min |
Note: Changing the table prefix on an existing site is risky and can break things. For new sites, set a unique prefix during installation. For existing sites, focus on other hardening measures first.
The Minimum Viable Security Stack
If you’re overwhelmed, start here. This covers 90% of attack vectors with minimal effort:
- Install Wordfence (free tier is fine) — Configure firewall, login protection, and scan
- Enable 2FA on all admin accounts
- Update everything — Core, plugins, themes, PHP
- Delete unused plugins and themes
- Set up automated off-site backups
- Add DISALLOW_FILE_EDIT to wp-config.php
Do these six things and you’re ahead of 95% of WordPress sites on the internet.
What NOT to Worry About
Some “security” advice is outdated or low-value:
- Hiding the wp-login.php URL — Provides minimal benefit, can break things, and attackers will find it anyway through xmlrpc.php or REST API.
- Changing the admin username after the fact — If you already have a non-“admin” username, don’t stress about it.
- Multiple security plugins — Use ONE security plugin. Multiple plugins conflict and slow your site.
- Obscuring WordPress version — Attackers don’t care what version you’re running; they scan for specific vulnerabilities.
Signs Your Site May Be Compromised
Watch for these warning signs:
- Unknown admin users appearing
- Files with recent modification dates that you didn’t change
- Strange redirects (especially for mobile users)
- Google Search Console warnings about malware or spam
- Dramatically increased server resource usage
- Customer complaints about pop-ups or redirects
- New pages or posts you didn’t create
- Site loads slowly with unexplained PHP processes
If you see any of these, assume compromise until proven otherwise. Take the site offline, restore from a known-good backup, and investigate.
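The "files you didn't change" sign is easiest to spot with a baseline to compare against, which is what file integrity monitoring does. The script below is an added example, not part of the guide or of any plugin: `wp_snapshot` records a checksum for every file, `wp_changes` reports what was added, removed or modified since a saved snapshot, and `wp_recent` lists files touched in the last N days for sites that have no snapshot yet. It assumes POSIX `find`, `cksum`, `sed`, `sort` and `awk`; the `make_sample` helper builds a constructed docroot so it can be tried offline.

```shell
#!/bin/sh
# Added example (not from the guide): baseline-and-compare checks for the
# "recently modified files you didn't change" warning sign above.

# Print "checksum path" for every regular file under the docroot, sorted by
# path. cksum prints "crc size name"; the sed drops the size field.
wp_snapshot() {
    ( cd "$1" && find . -type f -exec cksum {} + ) \
        | sed 's/^\([0-9][0-9]*\) [0-9][0-9]* /\1 /' | sort -k2
}

# Compare the saved snapshot file with the current tree. Prints ADDED,
# REMOVED or MODIFIED plus the path; exit status is 1 if anything changed.
wp_changes() {
    wp_snapshot "$1" | awk -v saved="$2" '
        BEGIN { while ((getline line < saved) > 0) {
                    split(line, f, " "); p = substr(line, index(line, " ") + 1)
                    old[p] = f[1] } }
        { p = substr($0, index($0, " ") + 1)
          if (!(p in old)) { print "ADDED", p; n++ }
          else { if (old[p] != $1) { print "MODIFIED", p; n++ }
                 delete old[p] } }
        END { for (p in old) { print "REMOVED", p; n++ }; exit (n > 0) }'
}

# Files modified less than N days ago (default 7): a quick triage list.
wp_recent() {
    find "$1" -type f -mtime -"${2:-7}" -print
}

# Constructed sample docroot whose files carry an old (2024) timestamp, so a
# later edit or addition shows up in both checks.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/themes/t"
    echo "<?php echo 'theme';" > "$d/wp-content/themes/t/functions.php"
    echo "not really a jpeg" > "$d/wp-content/uploads/image.jpg"
    touch -t 202401010000 "$d/wp-content/themes/t/functions.php" \
                          "$d/wp-content/uploads/image.jpg"
    echo "$d"
}

# Usage: wp_snapshot /var/www/html > baseline.txt   (after a clean update)
#        wp_changes  /var/www/html baseline.txt     (during routine checks)
```

Refresh the baseline right after every update you apply yourself, so the next comparison only shows changes you did not make.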
Ongoing Maintenance
Security isn’t a one-time project. Build these habits:
- Weekly: Check for and apply updates
- Monthly: Review user accounts, check security scan results
- Quarterly: Audit plugins (still needed? still maintained?)
- Annually: Test backup restoration, review security configuration
Need Professional Help?
Our WordPress Performance & Security package includes a comprehensive security audit, hardening implementation, and ongoing monitoring. With OSCP/OSCE certifications and Synack Red Team experience, we bring enterprise security expertise to businesses of any size.
If you’re not confident in your current WordPress security posture—or if you’ve experienced a breach and need remediation—let’s talk.